Join the community today
Become a Member

CSF Rsync not working with csf enabled

Discussion in 'Other Centmin Mod Installed software' started by pamamolf, Jun 5, 2016.

  1. pamamolf

    pamamolf Well-Known Member

    2,820
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    5:21 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Hi

    I have a server 2 that has a simple rsync script that sync a folder from server 1 to a folder from server 2.....

    But when i enable csf firewall on server 2 then is not working :(

    When i disable it all are working fine ....

    Any ideas?

    Thanks
     
  2. eva2000

    eva2000 Administrator Staff Member

    30,945
    6,914
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,411
    Local Time:
    1:21 AM
    Nginx 1.13.x
    MariaDB 5.5
    if you changed sshd ports on either source or destination, then the ports need to be whitelisted on both servers' firewalls
     
  3. SeaTea

    SeaTea Premium Member Premium Member

    49
    13
    8
    Feb 20, 2015
    the Netherlands
    Ratings:
    +28
    Local Time:
    4:21 PM
    Nginx:1.11
    MariaDB-10
    Just add the ip-adress of the other server in 'csf.allow' if you don't want to open ports for everyone.
    If you don't want all ports open for another hosts, just open one port.
    Code (Text):
    tcp|in|d=12345|s=52.1.2.3


    In this example you only open port 12345 for source-ip 52.1.2.3

    I am using csf together with lfd (which watches files and suspicious log activity). I control both via webmin which has a good web-interface for it. This is sometimes handy if I do not have a ssh client available.
     
    • Informative Informative x 2
  4. eva2000

    eva2000 Administrator Staff Member

    30,945
    6,914
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,411
    Local Time:
    1:21 AM
    Nginx 1.13.x
    MariaDB 5.5
    very nice tip regarding csf firewall @SeaTea (y)
     
    • Informative Informative x 1
  5. pamamolf

    pamamolf Well-Known Member

    2,820
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    5:21 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Thanks @SeaTea :)

    Yes i use custom ports :)

    Let's say main server 1 port 1000 for ssh and ip 123.456.789.000 and server 2 the one that i run the script and connects to main server ssh port 1111 and ip 111.222.333.444 then should i use :

    server 1 edit csf.allow:
    Code:
    tcp|in|d=1111|s=111.222.333.444
    and

    server 2 edit csf.allow:
    Code:
    tcp|in|d=1000|s=123.456.789.000
    Correct ?
     
  6. eva2000

    eva2000 Administrator Staff Member

    30,945
    6,914
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,411
    Local Time:
    1:21 AM
    Nginx 1.13.x
    MariaDB 5.5
  7. pamamolf

    pamamolf Well-Known Member

    2,820
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    5:21 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Confused :(

    So do i need to enable on each server two rules each?

    One for incoming and one for outgoing ?

    like:

    server 1 edit csf.allow:
    Code:
    tcp|in|d=1111|s=111.222.333.444
    tcp|out|d=1111|s=111.222.333.444


    and

    server 2 edit csf.allow:
    Code:
    tcp|in|d=1000|s=123.456.789.000
    tcp|out|d=1000|s=123.456.789.000
    ?
     
  8. pamamolf

    pamamolf Well-Known Member

    2,820
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    5:21 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Actually these settings if they allow only the specified ip to connect to the ssh port then is not what i want :(

    I just need both servers to use existing ssh ports and let anyone to use the ports as it is now ......

    Also it should work as i have on csf config file in TCP_IN and TCP_OUT the port open but it doesn't work :(

    I also add the ip of server 1 to server 2 allow file of csf to avoid any ip blocks and the opposite...
     
    Last edited: Jun 6, 2016
  9. eva2000

    eva2000 Administrator Staff Member

    30,945
    6,914
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,411
    Local Time:
    1:21 AM
    Nginx 1.13.x
    MariaDB 5.5
    then my original suggestion stands open TCP_IN/OUT for the ports rsync connects to
    pay attention to examples and s= vs d= for source and destination

    check /var/log/messages for diagnostics info etc for what is being blocked etc
     
  10. pamamolf

    pamamolf Well-Known Member

    2,820
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    5:21 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Ok i found that rsync port is 873 using:

    Code:
    grep rsync /etc/services
    So if i enable this port for tcp/udp in/out on the firewall it may work ?

    Don't see the reason to open an extra port....

    I prefer to use default ssh ports and not 873 :(

    So is this ok?

    server 1 edit csf.allow:
    Code:
    tcp|in|d=1000|s=111.222.333.444
    tcp|out|d=1111|s=111.222.333.444

    and

    server 2 edit csf.allow:
    Code:
    tcp|in|d=1111|s=123.456.789.000
    tcp|out|d=1000|s=123.456.789.000
     
    Last edited: Jun 6, 2016
  11. eva2000

    eva2000 Administrator Staff Member

    30,945
    6,914
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,411
    Local Time:
    1:21 AM
    Nginx 1.13.x
    MariaDB 5.5
    i've never had to open port 873 for rsync to work once i setup csf whitelisted ports
     
  12. pamamolf

    pamamolf Well-Known Member

    2,820
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    5:21 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Yes but the new ssh port is already changed using Centminmod menu and it auto add the new port on the csf config file...

    But this is not enough for rsync to work :(

    It's server has it's own new ssh port open on the csf config file.

    Or do you mean to add also the server 2 ssh port on the server 1 csf config file and the opposite?
     
  13. eva2000

    eva2000 Administrator Staff Member

    30,945
    6,914
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,411
    Local Time:
    1:21 AM
    Nginx 1.13.x
    MariaDB 5.5
    centmin.sh menu option to change sshd port only adds new ports whitelisting for TCP_IN (inbound) only, it does not added white listing for port on TCP_OUT (outbound) on same server and does not setup on destination server's csf firewall for TCP_IN (inbound)

    both source and destination servers need their respective CSF firewall's port whitelisting for their respective directions of rsync communication's destination and source ports
    Code (Text):
    server1 (sshd port XX)
    server2 (sshd port YY)
    
    server1 TCP_OUT (port YY) ==> server2 TCP_IN (port YY)
    server2 TCP_OUT (port XX) ==> server1 TCP_IN (port XX)
    
     
    Last edited: Jun 6, 2016
  14. pamamolf

    pamamolf Well-Known Member

    2,820
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    5:21 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Server1 then:
    Code:
    TCP_IN 1000
    TCP_OUT 1111
    and

    server2 :
    Code:
    TCP_IN 1111
    TCP_OUT 1000
    Don't say that i didn't got it now :)
     
    Last edited: Jun 6, 2016
  15. pamamolf

    pamamolf Well-Known Member

    2,820
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    5:21 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Didn't see your edit with the sample when i post it :)

    I think that my example above will work :)
     
  16. YuchiRO

    YuchiRO Member

    93
    6
    8
    Jan 12, 2015
    Ratings:
    +8
    Local Time:
    10:21 PM
    5.5.4
    I made same config as eva2000 sugguest:

    sv1 - ssh 1111 ip 1.1.1.1
    sv2 - ssh 2222 ip 2.2.2.2

    CSFallow sv1
    tcp|in|d=1111|s=2.2.2.2
    tcp|out|d=2222|s=2.2.2.2

    CSFallow sv2
    tcp|in|d=2222|s=1.1.1.1
    tcp|out|d=1111|s=1.1.1.1

    and csf -r both server but i cant rsync. So, what's i missing ?
     
  17. eva2000

    eva2000 Administrator Staff Member

    30,945
    6,914
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,411
    Local Time:
    1:21 AM
    Nginx 1.13.x
    MariaDB 5.5
    check for clues in /var/log/lfd.log and /var/log/messages for your servers ips related entries

    what rsync command and errors ?
     
  18. YuchiRO

    YuchiRO Member

    93
    6
    8
    Jan 12, 2015
    Ratings:
    +8
    Local Time:
    10:21 PM
    5.5.4
    rsync -avz --progress -e "ssh -p 1111" root@1.1.1.1:/home/nginx/domains/domain.com/public/* .

    ssh: connect to host 1.1.1.1 port 1111: Connection timed out
    rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
    rsync error: unexplained error (code 255) at io.c(605) [Receiver=3.0.9]
     
  19. eva2000

    eva2000 Administrator Staff Member

    30,945
    6,914
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,411
    Local Time:
    1:21 AM
    Nginx 1.13.x
    MariaDB 5.5
    1. check for clues in /var/log/lfd.log and /var/log/messages for your servers ips related entries
    2. check if either server ips are blocked in respective csf firewall via grep command
    Code (Text):
    csf -g ipaddress

    3. can you ssh into other server and vice versa via ssh from one server to another ?
     
  20. eva2000

    eva2000 Administrator Staff Member

    30,945
    6,914
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,411
    Local Time:
    1:21 AM
    Nginx 1.13.x
    MariaDB 5.5
    were these added to /etc/csf/csf.allow ?